Osama’s Diabolical Plan for Secure E-Mail: Thumb Drives

Does al-Qaida really not have an IT department?

The U.S. intelligence officials poring over Osama bin Laden’s hard drives and recording devices have come to the preliminary conclusion that he managed “even tactical details” of the terror group’s business from Abbottabad. But bin Laden kept the compound off the communications grid to avoid the watchful eyes of American spy services like the National Security Agency. So how’d he deliver his instructions?

Not in a sophisticated way. He would compose a message to an operative on his personal computer, place the document on a flash drive and give it to a courier. Officials explain to the Associated Press that the courier would drive to a “distant internet cafe,” stick the drive into a cafe computer’s USB port, and send off bin Laden’s message in an e-mail.

Spot the security flaws here. Who knows what nasty worms lurk in Pakistani internet cafes? If the flash drives get infected, so too could bin Laden’s computers, assuming the drives don’t get discarded after one use like burner phones.

Wasn’t the NSA watching Pakistani internet cafes or monitoring suspicious IP addresses? Was no U.S. operative ready to send out a virus?

You’d think a more secure alternative would have been to set up a dummy web-based e-mail account called something innocuous like Catlover622@webmail, distribute a password to need-to-know operatives, send a message to a non-existent address, and let everyone log in to read the bounceback e-mail.

Sure, bin Laden evaded a manhunt for a decade. But it appears his network security strategy wasn’t designed by people familiar with all internet traditions.